20
Sat, Jul
2 New Articles

Murphy’s Security Law

Commentary
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Holes are everywhere. Address them before someone addresses you.

A couple articles ago, I talked about the need for modernizing encryption on our IBM i partitions. Shutting one door can shut others, and shutting other doors may give you a false sense of security when you have a few windows open. You can drive yourself batty looking for these holes, but every now and then a hole finds you.

Maybe it’s because of a heightened sense of awareness that I’m seeing security issues in places I’ve never seen them in before. Maybe it’s just Murphy’s Law, but it seems everywhere I looked in the last week I saw security holes in my environment. Or even worse, the exploits of security holes in my environment.

There are some lessons learned here that I’d like to share with you.

Issue #1: EDI Certificate Replacement

This should’ve been a really positive event. We have trading partners that send information to us over EDI and vice versa, like many other companies do. We encrypt that data, although it’s actually managed by people outside IT. That’s a story in and of itself, but the lines of communication are open between departments, and I was asked to update the EDI software in order to use a new SHA-2 certificate required between us and a trading partner. The trading partner is mandating SHA-2 encryption, which is great news. I’ve written ad nauseum about the dangers of SHA-1, and it’s great to see companies want to ensure their communication is as secure as possible.

Then I noticed that the EDI team had set up the application to use 3DES ciphers.

Ouch.

The trading partner didn’t care about what ciphers were used. Well now. Ain’t that a pickle. Use SHA-2 but with a highly vulnerable cipher? Nope. We mandated AES ciphers, and the trading partner was fine with that. This is one of those “false sense of security” issues. Without that extra check, the ciphers used would’ve been vulnerable to the lovely SWEET32 vulnerability among others. Now, SWEET32 hasn’t been seen in the wild, much like POODLE or BEAST hasn’t. That doesn’t mean they aren’t dangerous. Nobody wants to be the first. The point is, we need to be disabling weak ciphers and enabling only strong ones if at all possible.

Please ensure your applications are running with a SHA-2 certificate, good ciphers, and TLS 1.1 or 1.2. That’s the magic three-tiered combination. Anything less than that puts your company data at risk.

Issue #2: Cryptolocker

This is one of those scenarios in which you’re damned if you do and damned if you don’t. Here’s the story. We were notified in October that we are closing down a branch office in December. The thought was to not give that particular office the new antivirus product, which is now our standard. Plus, it would be for only two months, and for the most part they’d be covered with the older, but still functional antivirus. That office has only about 10 computers. A minor risk to save some cash, right?

The gamble didn’t pay off.

Two people in that office managed to go to the same website to inadvertently pull down a lovely cryptolocker variant that encrypted both laptops and then reached out and partially encrypted a mounted Windows file share. Luckily, we do backups, and those users didn’t have a lot of folder authority on the file share. Either way, it could’ve been much worse. In the end, we had to go to backup tapes for the file share, and two laptops were completely pooched of usable data.

Lesson learned: Protect everyone all the way, no matter what. Shortcuts cause pain.

There is a silver lining to this breach. In the last two months, I did a number of security seminars for our users, attempting to scare the heck out of them with talk of vulnerabilities, viruses, and phishing. I even went to Human Resources and made it a mandatory seminar for everyone.

It’s funny. Warehouses or manufacturing plants don’t let anyone operate a forklift or a scissor lift without training or certification. But when a new office employee comes on board, we just give them a laptop, a smartphone, and a “call us if you need us” send-off. Maybe a link to an IT policy or acceptable-use policy. Users are seldom given an initial boot camp on how to use a computer safely. How can we expect them to make informed decisions if we don’t arm them with some training? Informed decisions are one thing. How do we know a user won’t accidentally take down a network or a server because they don’t know what to do if confronted with a dangerous situation?

In one of my sessions, I told them if something slips past the spam and virus filters in an email to not do what makes admins cringe: forward the e-mail to someone else for an opinion. “Should I open this attachment that’s a zip file from This email address is being protected from spambots. You need JavaScript enabled to view it.?” No!

What happened that day? We had people sending us screen shots of the e-mail in question. That’s awesome. People will help you help them if you give them the tools and knowledge to do so. Who clicked on the dangerous link? Users who didn’t have adequate virus protection or the recent training. I won’t make that mistake again.

Issue #3: Home Networks (i.e., the Internet of Unprotected Things or IoUT)

This isn’t an issue due to what’s happened, but it’s an issue due to what can happen. More and more users are working from home on a regular basis. The question was brought up this week: How do we deal with security concerns by home users over a VPN tunnel? To be honest, I didn’t have a good answer. Unless we manage a user’s home network, we can’t be sure what they’ve got connected to their network, what kind of router they have, whether they’ve changed the default password, or if the router is 10 years old and is subject to serious security concerns. We don’t know if a router has an easily guessed secret support account. A compromised router can be used to carry out DNS redirection attacks, denial of service (DoS) attacks, and man-in-the-middle attacks to glean corporate data off the home network.

This needs to be on your radar because the problem is only going to get worse. And if users, not techs, are plugging in whatever devices they get from a hardware vendor or an ISP and taking for granted that they’re secure, then they’re in for a rude awakening.

Here are some quick examples:

300,000 routers from D-Link, TP-Link, Micronet, Tenda, and others are open to man-in-the-middle attacks.

Misfortune Cookie exposes 12 million residential network gateway devices to attack, threatening personal and enterprise data.

So what do we do? Buck the trend Yahoo-style and force workers back to the cubicles? It’s possible. Mandate specific hardware for home office use? This may be a trend many companies will be compelled to at least advise toward. Turning a blind eye doesn’t mean there’s not a severe threat to enterprise security. Until this security problem is addressed by hardware manufacturers and ISPs, new devices will continue to be put into homes. This doesn’t address the millions of corruptible devices in the wild already.

Keep it on your watch list. And don’t assume your data is safe just because people are coming in over your VPN.

Issue #4: We still had some users coming in over PPTP VPN.

I know. Somebody smack me. Luckily, it was a very small minority of our users, and it was addressed immediately. The service doesn’t operate anymore.

So if you’re still using PPTP, please have a look at this $200 tool that anyone can purchase to break it. After reading that, you should move off PPTP as it’s been broken for years. Essentially, anything is a better choice. For a good choice, check out OpenVPN.

Steve Pitcher
Steve Pitcher works with iTech Solutions, an IBM Premier Business Partner. He is a specialist in IBM i and IBM Power Systems solutions since 2001. Feel free to contact him directly This email address is being protected from spambots. You need JavaScript enabled to view it..
BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: